Bug 409701 - CVE-2007-5964 Privilege Escalation (from local system) through /net autofs mount configuration bug
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: autofs
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Ian Kent
Fedora Extras Quality Assurance
Keywords: Security
Duplicates: 421361
Depends On:
Blocks: CVE-2007-5964
Reported: 2007-12-03 21:58 EST by Josh Lange
Modified: 2007-12-15 12:51 EST
Fixed In Version: 5.0.2-20
Doc Type: Bug Fix
Last Closed: 2007-12-15 12:51:06 EST
Description Josh Lange 2007-12-03 21:58:24 EST
Description of problem:
A stock install of RHEL5 and Fedora 8 (and possibly earlier versions) has /net
managed by autofs (look at /etc/auto.master).

Unfortunately, the "nosuid" mount option is not specified, meaning that any
system auto-mounted under /net may have arbitrary suid root binaries.

Version-Release number of selected component (if applicable): RHEL 5, Fedora 8,
possibly others

How reproducible: Always


Steps to Reproduce:
1. set up an NFS server with an suid root binary in an exported directory.
2. log into a system running fedora 8/rhel5. Ensure autofs is running.
3. as a non-root user on the fedora8/rhel5 box, change directory to
/net/hostname_of_nfs_server.tld/exported_path/
4. run the suid root binary
  
Actual results:
The suid binary runs with the effective UID of 0, making it so the unprivileged
user now has full access to the system.

Expected results:
the share should have been mounted with the nosuid option, so that the
executable does not run with the effective uid of root.

Additional info:
changing (in /etc/auto.master):
"/net    -hosts"
to:
"/net   -nosuid  -hosts"
will prevent exploitation.


I have also mailed this alert to secalert@redhat.com ( from jhlange@calpoly.edu ).
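As an added example (not code from the bug report or from the autofs project), a POSIX shell script that audits an auto.master for "-hosts" entries lacking the nosuid option and prints the map with the fix suggested above applied. The sample map text is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an auto.master for "-hosts"
# entries (the /net map) lacking the nosuid mount option, and print the map
# with the fix the report suggests applied. Function names are this example's own.

# Constructed sample of the stock, affected configuration.
VULN_MASTER='# /etc/auto.master (constructed sample)
/misc   /etc/auto.misc
/net    -hosts
+auto.master'

# _scan MODE MAP_TEXT: MODE "audit" prints offending lines and exits 0 (all good),
# 1 (an entry lacks nosuid) or 2 (no -hosts entry); MODE "fix" prints the map.
_scan() {
    printf '%s\n' "$2" | awk -v mode="$1" '
        # comments, blank lines and "+map" includes are passed through untouched
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || $1 ~ /^[+]/ { if (mode == "fix") print; next }
        {
            is_hosts = 0; has_nosuid = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-hosts") is_hosts = 1
                opt = $i; sub(/^-+/, "", opt)        # "-nosuid,nodev" -> "nosuid,nodev"
                n = split(opt, parts, ",")
                for (j = 1; j <= n; j++) if (parts[j] == "nosuid") has_nosuid = 1
            }
            if (is_hosts) { seen = 1; if (!has_nosuid) bad = 1 }
            if (mode == "fix") {
                line = $0
                if (is_hosts && !has_nosuid) sub(/-hosts/, "-nosuid  -hosts", line)
                print line
            } else if (is_hosts && !has_nosuid) printf "MISSING nosuid: %s\n", $0
        }
        END { if (mode == "fix") exit 0; if (!seen) exit 2; exit (bad ? 1 : 0) }'
}
audit_net_nosuid() { _scan audit "$1"; }
fix_net_nosuid()   { _scan fix "$1"; }

# Stand-alone demo: report the problem, then show the corrected map.
if audit_net_nosuid "$VULN_MASTER"; then
    echo "OK: every -hosts entry carries nosuid"
else
    echo "Corrected map:"; fix_net_nosuid "$VULN_MASTER"
fi
```

Only "-hosts" entries are checked; a /net served by an executable map (e.g. an auto.net script) would need the same nosuid review by hand.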
Comment 1 Mark J. Cox (Product Security) 2007-12-04 05:33:50 EST
CVE-2007-5964, see bug #410031 for top level
Comment 2 Tomas Hoger 2007-12-12 08:28:31 EST
*** Bug 421361 has been marked as a duplicate of this bug. ***
Comment 3 Fedora Update System 2007-12-15 12:51:04 EST
autofs-5.0.2-20 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.